Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between LAN Holdings LLC, which operates AgentChannel (“we,” “us,” the processor), and the Shopify merchant that installs or uses AgentChannel (“you,” the controller). You accept this DPA when you accept the Terms on install. It must be in place before we process any personal data subject to the GDPR, and it governs over the Terms for any conflict about personal data.
1. Roles of the parties
For your customers’ personal data, you are the data controller and AgentChannel is your processor, processing on your behalf. Where you are yourself a processor for your own controller, AgentChannel is a subprocessor, and Module Three of the EU Standard Contractual Clauses applies in place of Module Two for any restricted transfer.
2. Processing of your personal data
We process your personal data only on your documented instructions, namely: (a) to provide and maintain the Service; (b) as further specified through your use of the Service; (c) as set out in the Terms and this DPA; and (d) as set out in any other written instructions you give and we acknowledge. We will follow those instructions unless prohibited by applicable law, and we will inform you if we cannot follow an instruction or if, in our opinion, an instruction infringes applicable data-protection law (without obligation to give legal advice). You confirm you have made all disclosures, obtained all consents, and have a lawful basis for providing the personal data to us. If we update the Service in a way that changes the categories of data subjects or personal data, the nature or purpose, or the transfer details, we will update the annexes below and notify you.
3. Confidentiality and security
We ensure that personnel authorized to process your personal data are bound by a duty of confidentiality and process the data only as instructed. We implement and maintain the technical and organizational measures described in Annex II, appropriate to the risk, to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
4. Subprocessors
You give us general written authorization to engage the subprocessors listed in Annex III. We will give you at least 10 business days’ notice before adding or replacing a subprocessor (by email to your shop’s contact address and/or an in-app or website notice), and you have 30 days after notice to object on reasonable data-protection grounds; if you do, we will work with you in good faith to resolve it, and if we cannot you may terminate the affected part of the Service and uninstall. We impose data-protection obligations on each subprocessor that are no less protective than this DPA, by written contract, and we remain liable to you for each subprocessor’s performance.
5. International transfers
We store and process your personal data in the United States (a database in the us-east-1 region). For personal data of individuals in the EEA whose transfer is protected by the GDPR and not covered by an adequacy decision, the EU Standard Contractual Clauses (the clauses annexed to European Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA and the parties are deemed to have signed them: Module Two (controller to processor) applies when you are a controller, and Module Three (processor to subprocessor) applies when you are a processor. For UK personal data, the UK International Data Transfer Addendum issued by the ICO applies; for Swiss data, references to the GDPR are read as references to the Swiss FADP. The annexes to this DPA populate the information required by those clauses. We do not currently rely on the EU–U.S. Data Privacy Framework.
6. Personal-data breaches
On becoming aware of a personal-data breach affecting your personal data, we will notify you without undue delay and no later than 72 hours after becoming aware, provide the information reasonably available to help you meet your own obligations, and take reasonable steps to contain and investigate. Our notification is not an admission of fault.
7. Assisting you
Taking into account the nature of the processing and the information available to us, we will assist you, by appropriate technical and organizational measures and insofar as possible, to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection, opt-out) and to meet your obligations around security, breach notification, and data-protection impact assessments and prior consultations. If a data subject contacts us directly about data we process on your behalf, we will refer them to you as the controller. If we receive a legal demand for your personal data, we will, unless legally prohibited, notify you and not respond without your prior consent except as required by law.
8. Audits
We will make available the information reasonably necessary to demonstrate our compliance with this DPA and Article 28 of the GDPR, and will allow for and contribute to audits, including inspections, on reasonable prior notice and subject to confidentiality. We may satisfy audit requests by providing relevant security information or a then-current third-party audit report where available, and we may restrict access where it would compromise security, confidentiality, or other legal obligations.
9. Deletion
On termination of the Service, or on your request, we will delete your personal data, except where retention is required by law. In practice: on uninstall your data is immediately hidden and processing stops; about 48 hours later Shopify sends a shop/redact signal and we permanently delete your records; residual encrypted backups expire within about 7 days. We retain only a minimal compliance log recording the fact of deletion (not the deleted personal data). Customer-level access and deletion requests are handled through the Shopify customers/data_request and customers/redact webhooks, which we implement.
10. CCPA / CPRA
To the extent we process personal information subject to the CCPA, we act as a service provider. We will not sell or share that personal information, and will not retain, use, or disclose it for any purpose other than the business purposes specified in the Terms or outside the direct business relationship, and not combine it with personal information from other sources except as the CCPA permits. We certify that we understand and will comply with these restrictions, and we will assist you in responding to verifiable consumer requests.
11. Liability and term
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service; this does not limit any liability to a data subject under applicable data-protection law or under the Standard Contractual Clauses. This DPA takes effect when you accept the Terms and continues until we have deleted all of your personal data in accordance with it.
Annex I — Description of the transfer
This Annex populates the information required by Annex I of the EU Standard Contractual Clauses (and, for UK data, the corresponding parts of the UK Addendum tables below).
| Party | Details |
|---|---|
| Data exporter | Name: the Shopify merchant that installs or uses AgentChannel (you). Role: controller of your customers’ personal data (or processor, in which case Module Three applies). Activities relevant to the transfer: operating a Shopify store and instructing AgentChannel to audit it and apply the catalog fixes you authorize. Contact: the notice address in your Shopify account. |
| Data importer | Name: LAN Holdings LLC d/b/a AgentChannel, a Maryland limited liability company, United States. Role: processor. Activities relevant to the transfer: providing the AgentChannel Service described in Section B below. Contact: support@agentchannel.app. |

The parties are deemed to have signed these Clauses on the date you accept the Terms on install (Section 5).

| Categories of data subjects | Your customers / end-shoppers (only via pseudonymized order references) and your authorized staff who use AgentChannel. |
|---|---|
| Categories of personal data | Order identifiers; the Shopify customer identifier, retained only as a deletion and data-request key (it is not hashed; we hold no name, email, phone, or address linked to it); the referral or channel an order came from (publication name, source hostname, UTM parameters, referrer URL); per-line-item quantity and discounted price; and aggregate per-product sales totals. We do not process your customers’ names, email addresses, phone numbers, or postal addresses, and never payment card data. |
| Sensitive data | None. No special categories of data are transferred, so no additional restrictions or safeguards are required. |
| Frequency of the transfer | Continuous, for the term of your install (and, for the order-derived data, only while those features are enabled for your store). |
| Nature of the processing | Hosting, storage, computation, and deletion of the data above to provide the Service: the deterministic AI Readiness Audit; merchant-authorized catalog fixes (including AI-assisted drafting of store policies and product descriptions from your business content — see the AI Addendum); and, when enabled, order-to-AI-agent attribution and per-product sales ranking. |
| Purpose of the transfer and further processing | Providing the AgentChannel Service to you as described in the Terms, this DPA, and the AI Addendum; no other purpose. |
| Retention period | For the term of your install, then deleted as in Section 9 (no separate retention period). |
| Recipients and onward transfers | The subprocessors listed in Annex III (located in the United States); no other onward transfers. |
| Transfers to (sub-)processors | Each subprocessor in Annex III that receives personal data described above processes it only for the subject matter, nature, and duration set out above, solely to provide the Service. Subprocessors that do not receive this personal data (for example, marketing-website analytics) are identified in Annex III. |

Although we read no direct identifiers, pseudonymized order records remain personal data under the GDPR (Recital 26) and personal information under the CCPA; this DPA treats them as such.

| Competent supervisory authority | The supervisory authority of your EEA establishment or, where you have none, of the EEA member state of your EU representative; where the Clauses require a single authority and none of the above applies, the Irish Data Protection Commission (DPC). |
|---|---|
Annex I-UK — UK International Data Transfer Addendum
For transfers of UK personal data, the parties enter into the UK International Data Transfer Addendum to the EU SCCs (the “UK Addendum”) issued by the Information Commissioner’s Office. The UK Addendum’s tables are completed as follows.
| Start date | The date you accept the Terms on install. |
|---|---|
| The parties | Exporter: the Shopify merchant (you). Importer: LAN Holdings LLC d/b/a AgentChannel. Full details are in Annex I.A above. |
| Key contacts | Exporter: the notice address in your Shopify account. Importer: support@agentchannel.app. |

| Addendum EU SCCs | The EU SCCs annexed to Commission Implementing Decision (EU) 2021/914, as incorporated into Section 5 of this DPA. |
|---|---|
| Module in operation | Module Two (controller to processor), or Module Three (processor to processor) where you are a processor. |
| Clause 9 (subprocessors) | Option 2 (general written authorization); minimum 10 business days’ notice of changes, as in Section 4. |
| Clause 17 (governing law) & Clause 18 (forum) | For the EU SCCs as applied to UK data through the UK Addendum, the law and courts of England and Wales; the Irish DPC remains the Annex I.C authority for EEA data. |

| Annex 1A (list of parties) | As set out in Annex I.A above. |
|---|---|
| Annex 1B (description of transfer) | As set out in Annex I.B above. |
| Annex II (technical and organizational measures) | As set out in Annex II below. |
| Annex III (list of subprocessors) | As set out in Annex III below. |

| Which parties may end this Addendum | The data importer (AgentChannel) may end this Addendum as set out in Section 19 of the UK Addendum if the ICO issues a revised Approved Addendum, without prejudice to the transfer protections that continue to apply. |
|---|---|
Annex II — Security measures
- Encryption in transit (TLS) for all connections, and encryption at rest, including AES-256-GCM for Shopify access tokens.
- Database row-level security isolating each store’s data from every other store; service-role access restricted and scoped per store.
- Pseudonymization of customer references; no direct customer identifiers stored.
- Data minimization to subprocessors; the job queue receives shop domain and job triggers (and, for mandatory GDPR-deletion jobs, the customer or order identifier needed to locate and erase records), not catalog contents and never customer names, email addresses, phone numbers, or postal addresses.
- Implemented Shopify compliance webhooks performing real deletion, with a durable compliance audit log; logging and alerting of failures.
- Personnel confidentiality obligations; least-privilege access; vulnerability disclosure via support@agentchannel.app.
Annex III — Subprocessors
| Subprocessor | Location | Processing task |
|---|---|---|
| Supabase | USA (us-east-1) | Managed database storing audit results, order-derived attribution/sales aggregates, and encrypted tokens. |
| Vercel (including its AI gateway) | USA / global edge | Application hosting and routing of the AI calls used for paid-plan fixes. |
| Inngest | USA | Background-job orchestration; receives your shop domain and job triggers (and, for GDPR-deletion jobs, the customer or order identifier needed to erase records), not catalog contents and never customer names, emails, phone numbers, or addresses. |
| Resend | USA | Transactional, compliance, and free-audit-report email. |
| Anthropic and OpenAI | USA (via the Vercel AI gateway) | AI providers that draft store policies and product descriptions from your business content for paid-plan fixes; they receive only that content, never customer personal data, and do not train models on it. |
| Google Analytics | USA | Marketing-website analytics only (not app or customer data). |

Shopify, Inc. is the platform and the source of the store data we read; it is your own processor for the underlying store and customer data, not our subprocessor under this DPA.
Contact
Data-protection questions or requests: support@agentchannel.app.